Adobe 38043740 Lockdown Guide - Page 60
Cross Site Scripting attacks, Default ScriptSrc
Setting: Enable Global Script Protection
Default: Unchecked
Recommendation: Understand limitations, Checked
Description: This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks. When this setting is turned on, it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags: object, embed, script, applet, meta with InvalidTag. This setting does not restrict any javascript strings that may be injected and executed, iframe tags, or any XSS obfuscation techniques. See Appendix A.13 for more information on XSS attack vectors.

Setting: Default ScriptSrc Directory
Default: /CFIDE/scripts/
Recommendation: /somewhere-else/
Description: Because the scripts directory also contains CFML source code (such as FCKeditor), you should move this directory to a non-default location.
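The limitation described for Enable Global Script Protection, as an added illustration that is not from the Lockdown Guide or from Adobe: a Python emulation of the tag rewrite placed beside the control the setting does not replace, context-appropriate output encoding of untrusted data. The regular expression below is an assumption that approximates the one in neo-security.xml (the authoritative pattern is the one in that file and may differ), and the sample inputs are constructed for the example.

```python
import html
import re

# Assumption: approximation of the pattern Global Script Protection applies.
# The authoritative expression is the one defined in neo-security.xml.
SCRIPT_PROTECTION_RE = re.compile(
    r"<\s*(object|embed|script|applet|meta)\b", re.IGNORECASE
)

# Matches an opening tag whose name is anything other than InvalidTag, i.e.
# markup a browser could still act on after the filter has run.
LIVE_TAG_RE = re.compile(r"<\s*(?!InvalidTag\b)[a-zA-Z]")


def global_script_protection(value: str) -> str:
    """Emulate the setting: rewrite the five listed tag names to InvalidTag.

    Everything else (other tags, attributes, javascript: URLs) passes through
    untouched, which is exactly the limitation the guide warns about.
    """
    return SCRIPT_PROTECTION_RE.sub("<InvalidTag", value)


def encode_for_html(value: str) -> str:
    """The control that actually neutralises untrusted data in an HTML body
    context: entity-encode it at output time (CFML offers encodeForHTML()
    for the same purpose).
    """
    return html.escape(value, quote=True)


def has_live_opening_tag(value: str) -> bool:
    """Crude indicator: does an opening tag other than InvalidTag survive?"""
    return LIVE_TAG_RE.search(value) is not None


# Constructed sample inputs (not from the guide): one tag the filter rewrites
# and two shapes the guide says it leaves alone.
SAMPLES = {
    "listed tag": "<script>document.title</script>",
    "iframe tag": '<iframe src="https://example.test/"></iframe>',
    "javascript URL": '<a href="javascript:void(0)">link</a>',
}


def compare_controls(samples=SAMPLES):
    """Return, per sample, what the filter produces, whether a live tag
    survives it, and what output encoding produces instead."""
    report = {}
    for label, raw in samples.items():
        filtered = global_script_protection(raw)
        encoded = encode_for_html(raw)
        report[label] = {
            "filtered": filtered,
            "live_tag_after_filter": has_live_opening_tag(filtered),
            "encoded": encoded,
            "live_tag_after_encoding": has_live_opening_tag(encoded),
        }
    return report


if __name__ == "__main__":
    for label, row in compare_controls().items():
        print(f"{label:15} filter -> {row['filtered']!r} "
              f"(live tag: {row['live_tag_after_filter']})")
        print(f"{'':15} encode -> {row['encoded']!r} "
              f"(live tag: {row['live_tag_after_encoding']})")
```

Running the module prints one pair of lines per sample: only the listed tag is rewritten by the filter, while the iframe and the javascript: URL pass through with a live tag intact; output encoding removes the live tag from all three, which is why the guide recommends understanding the limitation rather than relying on the setting.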